World's largest Bitcoin exchange wants more info from its users.

On Thursday, the world’s largest Bitcoin exchange, Mt. Gox, announced that it would require all users to “be verified in order to perform any currency deposits and withdrawals. Bitcoin deposits do not need verification, and at this time we are not requiring verification for Bitcoin withdrawals.”

The company did not provide any explanation about why it was imposing this new requirement, but it did say that it would be able to process most verifications within 48 hours.

The move comes two days after federal prosecutors went after Liberty Reserve, another online currency that had notoriously poor verification. (In court documents, a federal investigator in that case included an address of “123 Fake Main Street, Completely Made Up City, New York” to create an account that was accepted.) It also comes two weeks after the Department of Homeland Security started investigating Mt. Gox over the possible crime of money transmitting without a license.

Mt. Gox did not immediately respond to requests for comment concerning why this new requirement has been put into place or what exactly it will entail. We will update this story if more information becomes available.

Ehh, yes and no. You can still transfer the currency anonymously, you just have to identify yourself when/if you convert it into dollars or some other form of traditional currency.

Kind of takes away one of Bitcoin's advantages, doesn't it?

Yeah, it absolutely does. But only one. Still a pretty major one.

I'm admittedly not a Bitcoin user, but I don't see that as ever having been a Bitcoin "advantage". I thought it was always clear that the core point of Bitcoin was to be an anonymous currency, not a meta-currency useful only as a temporary intermediary (even if that necessarily would be a significant initial use during ramp-up). Like so much else on the Internet, full anonymity and protection only exists so long as someone sticks purely within the electronic anonymous frameworks. There's a lot someone can do with extremely good privacy, so long as they're willing to stay entirely on the net. But obviously as soon as activities intersect with something like a traditional, fully tracked monetary system, well of course then the rules of that system come into play. There's nothing surprising or wrong about that, it'd be the same as dealing with any other currency, or for that matter in raw gold or bags of uncut diamonds or whatever.

I now see a significant number of useful digital services though (including hosting) that accept Bitcoins directly. That's the sort of thing that's necessary for it to actually be of any real value as a true currency. If/when/as it moves more towards being a currency and less a meta-currency it'll be able to fulfill more of what its creators hoped for. Any intersection with traditional currency will always be rightly regulated though, just as borders are.

There are two certainties in life: death and taxes.. My bitcoins are on one of those two reasons.. and it isn't death.

Yeah...making money in BTCs does not in any way absolve you of your requirement to pay taxes. It doesn't matter if your paid in dollars, BTCs, or chocolate doughnuts, nor does it matter whether or not you earned said income by committing legal or illegal acts. The only difference is that the government won't accept tax payments in BTCs or doughnuts, so you have to convert your income INTO dollars at a market rate.

I believe this was already a requirement for Europeans. I certainly found myself needing to do this, although I forgot the exact reason. Unfortunately, I also found myself unable to prove my identity to them!

They would ask for copies of things like utility bills (my landlord takes care of those), cellphone bills (prepaid card), bank statements (online banking), and health insurance bills (public health care) that I simply did not have. I emailed them about this but they weren't exactly understanding.

I have an ID card and a passport but for some reason they really wanted to verify my address, which those documents say nothing about.

Wasn't anonymity one of the main selling points of BitCoining in the first place?

No matter, everyone can find me at 1313 Mockingbird Ln, anyway.

Uhm, it's your dealings with mtgox that's not anonymous.

You can still make anoymous drug deals all day with Bitcoins, if that's your mindset. (seems like it's something like it). The Bitcoins you bought from mtgox can't be traced to that if you tumble them.

I thought it was always clear that the core point of Bitcoin was to be an anonymous currency,

If so, then they failed miserably.

All of the transactions are publicly recorded. Think about it like a currency started here, arsbucks. It's arguably not a flaw in the currency that if I pay you for a used hard drive you'll probably find out who I "really" am and where I live by virtue of giving me my hard drive.

It's definitely a flaw that anyone else I've done business with can see exactly how many arsbucks I just paid you and correlate that with the ad for your hard drive disappearing.

It also a flaw that the guy who just paid me arsbucks for webhosting can now see that I paid you (or a couple of my own fake arswallets and then you) and lean on you to find out who I am.

Quote:

Like so much else on the Internet, full anonymity and protection only exists so long as someone sticks purely within the electronic anonymous frameworks.

True, but Bitcoin in particular suffers from the additional shortcoming that you can follow a transaction trail back or forwards arbitrarily far. In addition to assisting legitimate law enforcement, the public transaction records could be used to set up to flag individuals who are a couple of financial transactions removed from criminal activity.

I thought it was always clear that the core point of Bitcoin was to be an anonymous currency,

If so, then they failed miserably.

All of the transactions are publicly recorded. Think about it like a currency started here, arsbucks. It's arguably not a flaw in the currency that if I pay you for a used hard drive you'll probably find out who I "really" am and where I live by virtue of giving me my hard drive.

It's definitely a flaw that anyone else I've done business with can see exactly how many arsbucks I just paid you and correlate that with the ad for your hard drive disappearing.

It also a flaw that the guy who just paid me arsbucks for webhosting can now see that I paid you (or a couple of my own fake arswallets and then you) and lean on you to find out who I am.

Quote:

Like so much else on the Internet, full anonymity and protection only exists so long as someone sticks purely within the electronic anonymous frameworks.

True, but Bitcoin in particular suffers from the additional shortcoming that you can follow a transaction trail back or forwards arbitrarily far. In addition to assisting legitimate law enforcement, the public transaction records could be used to set up to flag individuals who are a couple of financial transactions removed from criminal activity.

Not really. Wallets are not tied to IP addresses or persons and you can have as many as you want.

You can see that wallet A sent 10 BTC to wallet X, but you usually don't know who it is and whether wallets B and C that sent 7 and 3 BTC to wallet A just before did that to pay for something or was the same person covering the trail. You might even be able to trace from wallets B and C to a single initial account, but proving identities of owner(s) is completely different question.

I thought it was always clear that the core point of Bitcoin was to be an anonymous currency,

If so, then they failed miserably.

All of the transactions are publicly recorded. Think about it like a currency started here, arsbucks. It's arguably not a flaw in the currency that if I pay you for a used hard drive you'll probably find out who I "really" am and where I live by virtue of giving me my hard drive.

It's definitely a flaw that anyone else I've done business with can see exactly how many arsbucks I just paid you and correlate that with the ad for your hard drive disappearing.

It also a flaw that the guy who just paid me arsbucks for webhosting can now see that I paid you (or a couple of my own fake arswallets and then you) and lean on you to find out who I am.

Quote:

Like so much else on the Internet, full anonymity and protection only exists so long as someone sticks purely within the electronic anonymous frameworks.

True, but Bitcoin in particular suffers from the additional shortcoming that you can follow a transaction trail back or forwards arbitrarily far. In addition to assisting legitimate law enforcement, the public transaction records could be used to set up to flag individuals who are a couple of financial transactions removed from criminal activity.

Not really. Wallets are not tied to IP addresses or persons and you can have as many as you want.

You can see that wallet A sent 10 BTC to wallet X, but you usually don't know who it is and whether wallets B and C that sent 7 and 3 BTC to wallet A just before did that to pay for something or was the same person covering the trail. You might even be able to trace from wallets B and C to a single initial account, but proving identities of owner(s) is completely different question.

"you usually don't know who it is" is true of me as an individual engaging in a few transactions here and there, but it's not necessarily true of large vendors who can figure out who the purchaser of their services is, ISP's who can watch connections to bitcoin exchanges or vendors and then review the public global transaction log- seriously, you don't have to crack HTTPS to figure out that once a month wallet A is used to pay a web host and that wallet A is almost always refilled via a transfer from Mt. Gox right after customer _X_ at IP 1.2.3.4 connects to their "web banking" link.

With what form of "anonymous" cash can you figure out that a given wallet belongs to me in 2016 and then know a lot about what I spent money on in 2013 by comparing my transactions to a list of known large vendor wallets (Amazon, supermarkets, ...)? That's not anonymous: you could argue that it's pseudonymous, but even so it's a very weak pseudonym.

The ability to correlate transactions with real people if you know one end of the transaction is obvious. Having that compromise leak through to the entire history of the wallet and bitcoins that pass through it is a serious problem which I don't think most people fully appreciate.

Theoretically, I could maintain a large number of wallets and collaborate with other people to launder money, but then I'd be doing something which looks very shady in order to maintain a level of privacy which most people expect as a given.

"you usually don't know who it is" is true of me as an individual engaging in a few transactions here and there, but it's not necessarily true of large vendors who can figure out who the purchaser of their services is, ISP's who can watch connections to bitcoin exchanges or vendors and then review the public global transaction log- seriously, you don't have to crack HTTPS to figure out that once a month wallet A is used to pay a web host and that wallet A is almost always refilled via a transfer from Mt. Gox right after customer _X_ at IP 1.2.3.4 connects to their "web banking" link.

With what form of "anonymous" cash can you figure out that a given wallet belongs to me in 2016 and then know a lot about what I spent money on in 2013 by comparing my transactions to a list of known large vendor wallets (Amazon, supermarkets, ...)? That's not anonymous: you could argue that it's pseudonymous, but even so it's a very weak pseudonym.

The ability to correlate transactions with real people if you know one end of the transaction is obvious. Having that compromise leak through to the entire history of the wallet and bitcoins that pass through it is a serious problem which I don't think most people fully appreciate.

Theoretically, I could maintain a large number of wallets and collaborate with other people to launder money, but then I'd be doing something which looks very shady in order to maintain a level of privacy which most people expect as a given.

IP 1.2.3.4 connected to MtGox, and bought 50 BTC as (A), soon after paid 22 BTC to (B) and 28 BTC to (C), (B) soon receives 4 BTC more from (D) and sends them to a tumbler service. Some time later, (F) pays 10 BTC for anonymous web hosting and (G) buys an Amazon gift card. Meanwhile (C) spends and receives BTC from different sources, including spending some on freshly mined coins. When web hosting runs out it never gets renewed by (F), but some unrelated wallet (H) buys a completely new subscription.

Good luck linking all those together, even though actually they're all the same person.

IP 1.2.3.4 connected to MtGox, and bought 50 BTC as (A), soon after paid 22 BTC to (B) and 28 BTC to (C), (B) soon receives 4 BTC more from (D) and sends them to a tumbler service. Some time later, (F) pays 10 BTC for anonymous web hosting and (G) buys an Amazon gift card. Meanwhile (C) spends and receives BTC from different sources, including spending some on freshly mined coins. When web hosting runs out it never gets renewed by (F), but some unrelated wallet (H) buys a completely new subscription.

Good luck linking all those together, even though actually they're all the same person.

Given a few years of data, it doesn't seem like that hard a problem to me for a seven figure development budget on the tools (well within the realm of possibility for advertising companies or governments). Remember that the goal isn't to prove beyond a reasonable doubt that wallet G is owned by mr rdx of 123 Main Street, New York NY. It's just to catch the low-hanging fruit for marketing or law enforcement purposes.

You could probably maintain several distinct identities, but if they're clustered and ever doing even concealed self-dealing patterns will show up in the long term because every wallet and every bitcoin record is public. Just as one obvious attack: the guy would have to be very very careful to avoid letting weekends, his time zone, his vacations, etc. result in patterns that correlate across his various wallets. It would be extremely hard to make sure that your activity patterns for your various pseudonyms never vary even when you're asleep, hospitalized, climbing in Nepal, etc.

The user can be as careful as he wants, but if he _EVER_ slips up with a given wallet in a way which links it to his "real" identity, all of the past history of that wallet can now be leveraged- not just present and future transactions but also things years in the past.

IP 1.2.3.4 connected to MtGox, and bought 50 BTC as (A), soon after paid 22 BTC to (B) and 28 BTC to (C), (B) soon receives 4 BTC more from (D) and sends them to a tumbler service. Some time later, (F) pays 10 BTC for anonymous web hosting and (G) buys an Amazon gift card. Meanwhile (C) spends and receives BTC from different sources, including spending some on freshly mined coins. When web hosting runs out it never gets renewed by (F), but some unrelated wallet (H) buys a completely new subscription.

Good luck linking all those together, even though actually they're all the same person.

Given a few years of data, it doesn't seem like that hard a problem to me for a seven figure development budget on the tools (well within the realm of possibility for advertising companies or governments). Remember that the goal isn't to prove beyond a reasonable doubt that wallet G is owned by mr rdx of 123 Main Street, New York NY. It's just to catch the low-hanging fruit for marketing or law enforcement purposes.

You could probably maintain several distinct identities, but if they're clustered and ever doing even concealed self-dealing patterns will show up in the long term because every wallet and every bitcoin record is public. Just as one obvious attack: the guy would have to be very very careful to avoid letting weekends, his time zone, his vacations, etc. result in patterns that correlate across his various wallets. It would be extremely hard to make sure that your activity patterns for your various pseudonyms never vary even when you're asleep, hospitalized, climbing in Nepal, etc.

The user can be as careful as he wants, but if he _EVER_ slips up with a given wallet in a way which links it to his "real" identity, all of the past history of that wallet can now be leveraged- not just present and future transactions but also things years in the past.

It's not quite so obvious, no. Wallets might be used once and sleep months between receives and sends.

You need many slip-ups to trace them all. So you found that (C) was same as (A) in my example. Can you prove that (B) was same person, when (A) says it was some guy he paid to paint his fence (this even assuming you have the power to question (A)). Or you might have linked (G) and (A) - given honest tumbling service, how do you find that (F) was another output from same operation? (A) might have just spent it on painting the other side of the fence (no, of course I don't remember anything about that other wallet anymore, officer). You can only reliably trace a line between two endpoints, forks between them can only be assumptions.

IP 1.2.3.4 connected to MtGox, and bought 50 BTC as (A), soon after paid 22 BTC to (B) and 28 BTC to (C), (B) soon receives 4 BTC more from (D) and sends them to a tumbler service. Some time later, (F) pays 10 BTC for anonymous web hosting and (G) buys an Amazon gift card. Meanwhile (C) spends and receives BTC from different sources, including spending some on freshly mined coins. When web hosting runs out it never gets renewed by (F), but some unrelated wallet (H) buys a completely new subscription.

Good luck linking all those together, even though actually they're all the same person.

Given a few years of data, it doesn't seem like that hard a problem to me for a seven figure development budget on the tools (well within the realm of possibility for advertising companies or governments). Remember that the goal isn't to prove beyond a reasonable doubt that wallet G is owned by mr rdx of 123 Main Street, New York NY. It's just to catch the low-hanging fruit for marketing or law enforcement purposes.

You could probably maintain several distinct identities, but if they're clustered and ever doing even concealed self-dealing patterns will show up in the long term because every wallet and every bitcoin record is public. Just as one obvious attack: the guy would have to be very very careful to avoid letting weekends, his time zone, his vacations, etc. result in patterns that correlate across his various wallets. It would be extremely hard to make sure that your activity patterns for your various pseudonyms never vary even when you're asleep, hospitalized, climbing in Nepal, etc.

The user can be as careful as he wants, but if he _EVER_ slips up with a given wallet in a way which links it to his "real" identity, all of the past history of that wallet can now be leveraged- not just present and future transactions but also things years in the past.

It's not quite so obvious, no. Wallets might be used once and sleep months between receives and sends.

You need many slip-ups to trace them all. So you found that (C) was same as (A) in my example. Can you prove that (B) was same person, when (A) says it was some guy he paid to paint his fence (this even assuming you have the power to question (A)). Or you might have linked (G) and (A) - given honest tumbling service, how do you find that (F) was another output from same operation? (A) might have just spent it on painting the other side of the fence (no, of course I don't remember anything about that other wallet anymore, officer). You can only reliably trace a line between two endpoints, forks between them can only be assumptions.

You don't have to have conclusive proof that they're all the same person to compromise anonymity. Heck, even suspecting that two accounts are run by the same entity counts as a compromise of anonymity in a lot of contexts: how about an oppressive government being sure enough that a given person is the political dissident who's been paying for "anonymous" webhosting using "anonymous" currency to break down his door and beat a confession out of him? In some places, "Well, we traced a bit and think it might be him" is quite sufficient for really nasty things to happen.

You can say that Bitcoin obfuscates identity but calling it an anonymous currency when specifically discussing its strengths and shortcomings is very misleading to the public and potential users.

The problem is that any time you put money into the system, or take money out of the system, or get a product from someone, you can be tracked. Anonymity is sharply limited for this very reason.

Sure, you can push bitcoins around the internet all you want. But when you actually spend them on something real, you cease to be anonymous.

It's blatantly obvious that _you_ cease to be anonymous if you walk into a supermarket and pay with bitcoins from a particular wallet.

What _isn't_ blatantly obvious to the public is that, for something which claims to be an anonymous currency, the following situation can happen:

Bob, the political dissident, earns bitcoins from donations to his political blog (obviously, the wallet or wallets to contribute to must be known to people making donations: essentially, the entire public).Charlie, Bob's gardener, is paid from that wallet.Dan the quickie-mart dude accepts some bitcoins from Charlie.

The police show up at the Quickie Mart because even though they have no idea who Bob, Charlie, and Dan are they know that the Quickie-Mart is separated by two degrees of payment from the guy they need to bag. So they intimidate Dan into telling them who Charlie is (or find out via surveillance tape/etc.), intimidate Charlie into telling them who Bob is, and then arrest Bob.

That's about the opposite of an anonymous currency: it's obvious that Dan knows that Charlie has control over the wallet he paid with, but if the currency were really anonymous the oppressive government wouldn't know that the money Charlie spent was possibly* connected to the money which had been donated to Bob because the government wouldn't have a public signed record of which wallets have paid which.

You could argue that the problem was Bob paying for something "real", but the same thing works if Charlie is Bob's "anonymous" webhost that the government intimidates into giving connection logs for. Even if Bob was careful and used a huge number of proxy steps, the government can still hand out a subpoena to the webhost company and to Bob's home ISP (and cell data provider, and nearby coffee shops, ...) and see that the times the webhost received connections and the data quantities exactly match the times and data seen coming out of Bob's house. (yeah, Pipenet, but that doesn't exist and if it did connecting to it would draw unpleasant attention in and of itself in the kinds of places where a political dissident would be afraid)

Because even an anonymous webhost needs to pay people (even if it's volunteer labor, they need to pay for the bandwidth/etc.) you still wind up with a chain of people to identify and leverage back another layer. I suppose a politically committed webhost could accept payments to avoid the pitfalls of being a free host while never actually spending the proceeds to fund business operations but then it wouldn't be a business and there would still have to be a payment trail somewhere.

It's hard to imagine a way to anonymize the money without hypothesizing various entities which intentionally launder money because by yourself even creating a pile of wallets doesn't suffice. Dealing with them would itself be a flag.

Bitcoin may allow pseudonymous _identity_, but it is not an anonymous _currency_.

*Yes, "possibly"- it doesn't take rock-solid mathematical proof to make you sure enough to justify following up on investigative leads.

Like I said yesterday, BitCoin would be next. This only proves that things are going on behind the scenes, probably entailing secret DHS gag orders and the like, as the initial take down of BitCoin starts. To have the expectation that our government would allow people freedom to exchange money without their ability to monitor it was naive.

You talk about wallets like they have an ID number for everyone one but they don't. A wallet is basically just a text file with a bunch of numbers in it. Numbers that each correspond to a usable address. When you send /receive coins they don't necessarily all come from or get delivered to one single address. They get spread out. Like a tip jar or change jar. You drop some money in, and you're total goes up. A while later you go back and find you have $10. But you only need $2 to go get a 40. So you grab up random coins until you have $2 bucks and you go buy a 40. BTC wallets function much in the same way. You can't decide later to only pull out the transactions that gave you quarters and try to use those to pay for your 40. Well you can (~ish) but not by default. You can 'hack' (as in hack job or ghetto rig) together the ability with pywallet, privaddy transfers, and multiple wallets, but its not inherently built in to the protocol and default client.

Also when you spend coins from an address you spend the full amount in the priv addy, and then the client sends back and left over 'change' to a different priv addy from your key pool.

So really once a coin becomes 'dirty'. It taints the entire system. But its better this way because everyone is in the same position. Everyone is spending 'dirty' coins. To link a person specifically to a transaction, you'd have to prove the identity and ownership of the entire chain of accounts and all of its splits up to that specific transaction from the time in which that it was determined to be illegal. You'd then have to show that the person willfully knew where those funds came from and chose to spend them. So yea 2-3 transactions away might be easy to pin down to individual people. But with each spend, the number of possible owners of those coins grows exponentially. One 'bitcoin' only account, or offline account, or one privaddy switch and that chain is broken and ownership would be unable to be proven.

So don't donate to terrorists with the same account you use to ship stuff from amazon. Dur. Digital anything leaves traces everywhere. Maintain a few different accounts/wallets. Shift your money around a few times. Air gap to a cold-storage account, and then priv-key import to another. Swap them through a few exchanges. Etc etc.

Total anonymity is not needed. Plausible deniability and enough obfuscation through separation can achieve the same results.

It's hard to imagine a way to anonymize the money without hypothesizing various entities which intentionally launder money because by yourself even creating a pile of wallets doesn't suffice. Dealing with them would itself be a flag.

Bitcoin may allow pseudonymous _identity_, but it is not an anonymous _currency_.

*Yes, "possibly"- it doesn't take rock-solid mathematical proof to make you sure enough to justify following up on investigative leads.

You can only withdraw from Mt. Launderer in $10^n increments, so $10, $100, $1000, etc.

Mt. Launderer's servers have (like Reddit) something (let's call it a "checker") that checks for a transaction to be verified, then instructs the disburser to disburse X at the end of the day. The checker does not retain these logs, and the disburser never gets the transaction if in the first place. Hell, every time the disburser gets a transaction from the checker, it shuffles the array of disbursements for shits and giggles.

At the end of the day, Mt. Launderer disburses all the funds set to disburse that day. The amounts disbursed only occur in certain common increments. While the blockchain can verify that person A sent X to wallet address Z, there's no strict verification that wallet Z is owned by Mt. Launderer (possibly traceable through Mt. Launderer's eventual money exitpoint), but even if you did establish ownership of Z, with a small set of transactional outputs going to several people, you can't identify "where" person A's funds came from. It may be from only a few potential sources, sure, but you can't actually which of those. Last I checked, "You probably did one of these 100 crimes" isn't actually chargeable ;-) -- and that assumes everyone using Mt. Launderer is nefarious. A single "good" transaction gives every user plausible deniability.

I'd be shocked if something like this (probably cleverer) didn't exist on the darknet.

And I bet tonnes of legitimate people would use it, too. I know I probably would, if I didn't need to go to the darknet to use it.